Open
Hey,

I am trying to use actions/attest-build-provenance to attest an image that is being uploaded to GAR. I copied the demo action created by @bdehamer as much as possible, but actions/attest-build-provenance is failing with an error message that is hard to understand for me:

```
Error: OCIError: Error uploading artifact to container registry
FetchError: request to https://europe-west1-docker.pkg.dev/v2/[redacted]/security-gh-attestations/blobs/uploads/ failed, reason: Parse Error: Header overflow
```
My action:

```yaml
permissions:
  id-token: write
  contents: write
  attestations: write

env:
  REGISTRY: europe-west1-docker.pkg.dev
  IMAGE_NAME: e-security-experiments/docker/${{ github.repository }}
  GCP_PROJECT_ID: e-security-experiments
  GCP_WIP: [redacted]

name: Build and attest image

on:
  push:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.24.1"

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Exchange the GitHub OIDC token for a GCP access token via Workload Identity Federation
      - name: GCP Auth
        id: gcp_auth
        uses: "google-github-actions/auth@v2"
        with:
          project_id: ${{ env.GCP_PROJECT_ID }}
          workload_identity_provider: ${{ env.GCP_WIP }}

      # We cannot use gcloud auth configure-docker because it is not supported by actions/attest-build-provenance
      - name: Login to Google Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: oauth2accesstoken
          password: ${{ steps.gcp_auth.outputs.auth_token }}

      - name: Build binary
        run: go build -v -o main main.go

      - name: Build and push Docker image
        id: docker_build_push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

      # subject-name is the image name without a tag; the digest output of the push step pins the subject
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.docker_build_push.outputs.digest }}
          push-to-registry: true

      - name: Fetch artifact index
        run: |
          oras discover --format json ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | jq
```
I think it fails in @sigstore/oci: in the Registry.uploadBlob function called here https://github.com/sigstore/sigstore-js/blob/main/packages/oci/src/image.ts#L78, but I could not debug it further.

Thank you!